diff --git a/ams-cap-bookshop/pom.xml b/ams-cap-bookshop/pom.xml index eaa526c..0f5c754 100644 --- a/ams-cap-bookshop/pom.xml +++ b/ams-cap-bookshop/pom.xml @@ -21,7 +21,7 @@ https://nodejs.org/dist/ UTF-8 - 4.2.1 + 4.4.0 1.4.0 4.0.7 diff --git a/ams-cap-bookshop/srv/pom.xml b/ams-cap-bookshop/srv/pom.xml index 27bc419..5367397 100644 --- a/ams-cap-bookshop/srv/pom.xml +++ b/ams-cap-bookshop/srv/pom.xml @@ -76,7 +76,6 @@ com.sap.cloud.security.ams spring-boot-starter-cap-ams-test - test diff --git a/ams-cap-bookshop/srv/src/test/resources/application-test.yml b/ams-cap-bookshop/srv/src/test/resources/application-test.yml index 9e031dc..cdbff26 100644 --- a/ams-cap-bookshop/srv/src/test/resources/application-test.yml +++ b/ams-cap-bookshop/srv/src/test/resources/application-test.yml @@ -3,6 +3,7 @@ spring: sql: init: platform: h2 +sap.ams.test.enabled: true logging.level: com.sap.cds.security.authorization: TRACE com.sap.cloud.security.ams: TRACE diff --git a/ams-javalin-shopping/pom.xml b/ams-javalin-shopping/pom.xml index ffab2e5..790b7ad 100644 --- a/ams-javalin-shopping/pom.xml +++ b/ams-javalin-shopping/pom.xml @@ -15,7 +15,7 @@ 17 UTF-8 - 4.3.0 + 4.4.0 1.4.0 0.31.0 7.2.2 diff --git a/ams-spring-boot-shopping/pom.xml b/ams-spring-boot-shopping/pom.xml index 94c5b19..56f1ab8 100644 --- a/ams-spring-boot-shopping/pom.xml +++ b/ams-spring-boot-shopping/pom.xml @@ -24,7 +24,7 @@ 17 UTF-8 3.5.10 - 4.3.0 + 4.4.0 1.4.0 4.0.8 5.32.0 diff --git a/ams-spring-boot-shopping/src/main/java/com/sap/cloud/security/ams/samples/config/SecurityConfiguration.java b/ams-spring-boot-shopping/src/main/java/com/sap/cloud/security/ams/samples/config/SecurityConfiguration.java index 6505780..19d488f 100644 --- a/ams-spring-boot-shopping/src/main/java/com/sap/cloud/security/ams/samples/config/SecurityConfiguration.java +++ b/ams-spring-boot-shopping/src/main/java/com/sap/cloud/security/ams/samples/config/SecurityConfiguration.java @@ -11,6 +11,7 @@ import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.web.SecurityFilterChain; +import static com.sap.cloud.security.ams.samples.config.Privileges.*; import static org.springframework.http.HttpMethod.*; /** @@ -29,7 +30,7 @@ @Configuration @EnableWebSecurity @EnableMethodSecurity -@PropertySource(factory = IdentityServicesPropertySourceFactory.class, ignoreResourceNotFound = true, value = { "" }) +@PropertySource(factory = IdentityServicesPropertySourceFactory.class, ignoreResourceNotFound = true, value = {""}) public class SecurityConfiguration { @Bean @@ -41,17 +42,19 @@ public SecurityFilterChain filterChain(HttpSecurity http, AmsRouteSecurity via) // Authenticated endpoints without authorization checks authz.requestMatchers(GET, "/privileges").authenticated(); - // Endpoints protected with AMS method-level security + // CHOOSE ONE idiom below (route-level authorization + service-level filtering vs. full service-level authorization + + // Idiom 1 (Full service-level authorization): these endpoints are protected with AMS method-level security authz.requestMatchers(GET, "/products").authenticated(); authz.requestMatchers(GET, "/orders").authenticated(); authz.requestMatchers(POST, "/orders").authenticated(); authz.requestMatchers(DELETE, "/orders/**").authenticated(); - // Showcases alternative endpoint protection via AMS route-level security - // authz.requestMatchers(GET, "/products").access(via.checkPrivilege(READ_PRODUCTS)); - // authz.requestMatchers(GET, "/orders").access(via.precheckPrivilege(READ_ORDERS)); - // authz.requestMatchers(POST, "/orders").access(via.precheckPrivilege(CREATE_ORDERS)); - // authz.requestMatchers(DELETE, "/orders/**").access(via.checkPrivilege(DELETE_ORDERS)); + // Idiom 2 (route-level authorization + service-level filtering) Showcases alternative endpoint protection via AMS route-level security (+ service-level filtering) + authz.requestMatchers(GET, "/products").access(via.checkPrivilege(READ_PRODUCTS)); + authz.requestMatchers(GET, "/orders").access(via.precheckPrivilege(READ_ORDERS)); + authz.requestMatchers(POST, "/orders").access(via.precheckPrivilege(CREATE_ORDERS)); + authz.requestMatchers(DELETE, "/orders/**").access(via.checkPrivilege(DELETE_ORDERS)); // Deny all other requests authz.anyRequest().denyAll();